Thanks for the detailed read, Brian. You’re right that in the symmetric case,
either the issuer or the presenter can create the symmetric PoP key and share
it with the other party, since the effect is equivalent. I suspect that both
the key distribution draft and this draft should be updated with a sentence or
two saying that either approach can be taken. Do others concur?
-- Mike
From: Brian Campbell [mailto:bcampb...@pingidentity.com]
Sent: Thursday, November 05, 2015 7:48 AM
To: Mike Jones
Cc: Kepeng Li; oauth@ietf.org
Subject: Re: [OAUTH-WG] Proof-of-Possession Key Semantics for JWTs spec
addressing final shepherd comment
+1 for the diagrams making the document more understandable.
One little nit/question, step 1 in both Symmetric and Asymmetric keys shows the
Presenter sending the key to the Issuer. It's possible, however, for the key to
be sent the other way. Presenter sending it to the Issuer is probably preferred
for asymmetric, especially if the client can secure the private keys in
hardware. But I don't know if one way or the other is clearly better for
symmetric case and PoP key distribution currently has it the other
way<https://tools.ietf.org/html/draft-ietf-oauth-pop-key-distribution-02#section-4.2>.
Should the intro text somehow mention the possibility that the Issuer could
create the key and send it to the Presenter?
I know it's only the introduction but it was just something that jumped out at
me.
On Wed, Nov 4, 2015 at 9:04 AM, Mike Jones
<michael.jo...@microsoft.com<mailto:michael.jo...@microsoft.com>> wrote:
Thanks for suggesting the diagrams, Kepeng. They make the document more
understandable.
-- Mike
________________________________
From: Kepeng Li<mailto:kepeng....@alibaba-inc.com>
Sent: 11/5/2015 12:57 AM
To: Mike Jones<mailto:michael.jo...@microsoft.com>;
oauth@ietf.org<mailto:oauth@ietf.org>
Subject: Re: Proof-of-Possession Key Semantics for JWTs spec addressing final
shepherd comment
Thank you Mike.
The diagrams look good to me.
Kind Regards
Kepeng
发件人: Mike Jones
<michael.jo...@microsoft.com<mailto:michael.jo...@microsoft.com>>
日期: Thursday, 5 November, 2015 12:32 am
至: "oauth@ietf.org<mailto:oauth@ietf.org>"
<oauth@ietf.org<mailto:oauth@ietf.org>>
抄送: Li Kepeng <kepeng....@alibaba-inc.com<mailto:kepeng....@alibaba-inc.com>>
主题: Proof-of-Possession Key Semantics for JWTs spec addressing final shepherd
comment
Proof-of-Possession Key Semantics for JWTs draft -06 addresses the remaining
document shepherd comment – adding use case diagrams to the introduction.
The updated specification is available at:
· http://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession-06
An HTML formatted version is also available at:
·
https://self-issued.info/docs/draft-ietf-oauth-proof-of-possession-06.html
-- Mike
P.S. This note was also posted at http://self-issued.info/?p=1471 and as
@selfissued<https://twitter.com/selfissued>.
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
